Reverse Engineering Malware Binary Obfuscation and Protection
|
|
- Blanche Smith
- 6 years ago
- Views:
Transcription
1 Reverse Engineering Malware Binary Obfuscation and Protection Jarkko Turkulainen F-Secure Corporation Protecting the irreplaceable f-secure.com
2 Binary Obfuscation and Protection What is covered in this presentation: Runtime packers Compression algorithms Packer identification How to unpack Unpacking examples on simple systems Custom protection systems Java/DEX and JavaScript shrinkers and obfuscators are not covered here! 2
3 Overview of runtime packers Original purpose: reduce size on disk Runtime packer combines a compressed executable file with a decompressor in a single executable file Usually decompression is done in-memory Because the data is compressed, it usually not clear-text, also acting as protective layer Packers are also used for protecting executables against debugging, dumping and disassembling Most modern malware use some sort of runtime packer If static analysis of malware is needed, protective layer(s) must be opened Tens of different runtime packers easily available Some advanced systems are commercial 3
4 Compression algorithms Statistical Data symbols are replaced with symbols requiring smaller amount of data Common symbols are presented with fewer bits than less common ones Symbol table is included with the data Example: Huffman coding Dictionary-based Data symbols are stored in a dictionary Compressed data references to the dictionary using offset and length Static: dictionary included with the data Sliding window: dictionary is based on previously seen input data Example: LZ 4
5 Common packers UPX (Ultimate Packer for executables). Simple runtime packer. Supports multiple target platforms. Compression algorithms: UCL, LZMA (both LZbased dictionary models) FSG: Simple packer for Win32. Compression: aplib (LZ-based) MEW: Simple packer for Win32 (aplib) NSPACK: Simple packer for Win32 (LZMA) UPACK: Simple packer for Win32 (aplib) 5
6 Simple packers Most common packers are very simple (UPX, FSG etc.) Single-process, (usually) single-thread Single-layer compression/encryption Might use some trivial anti-debug tricks Doesn t modify the source code itself (works at link-level) Implementation not necessarily simple! 6
7 Complex packers Uses multiple processes and threads Multi-layer encryption (page, routine, block) Advanced anti-debugging techniques Code abstraction (metamorphic, virtual machines etc.) Examples: Armadillo, Sdprotect, ExeCrypt, VMProtect 7
8 Packer platforms Almost all packers run on Windows and DOS UPX is a notable exception (Linux, OSX, BSD, different CPU platforms) Android: UPX supports Linux/ARM, so at least in theory Android native shared libraries could be packed OT: Classes in DEX files can be packed with Java packers and then converted to Dalvik 8
9 Anatomy of typical packed file Weird PE section names Sections are very dense (high Shannon s entropy) Small amount of imported functions Entry code looks bogus (HT Demo) 9
10 How typical packer runtime works 1. Original data is located somewhere in the packer code data section 2. Original data is uncompressed to the originally linked location 3. Control is transferred to original code entry point (OEP) 10
11 Anti-* tricks Complex packers utilize lots of tricks to fool debuggers, disassemblers, dumpers and emulators Example anti-debugging trick: debug-bit in PEB (Windows API: IsDebuggerPresent) For more details, see lecture slides Dynamic Analysis (PEB demo) 11
12 How to identify packers Known characteristics of PE envelope (section names, entry point code etc.) PE identification utilities (for example: PEiD) Not foolproof! 12
13 How to unpack Statically Unpacking without actually running the file Algorithm-specific Very difficult and time-consuming to implement Fast, reliable System-independent Dynamically Generic Low-cost, easy to implement Needs to be run on native platform Combined approach (emulators) Flexibility of dynamic unpacking + security of static unpacking Extremely hard to implement 13
14 Static unpacking Requires knowledge about the routines and algorithms used by the packer Unpacking is basically just static implementation of the work done by unpacker stub when the file is run: Locate the original data Uncompress and/or decrypt the data Fix imports, exports, resources etc. data structures Some packers include unpacker that can completely restore the original file (well, at least UPX has it with d option) The file is not run - secure and fast (UPX + PEID demo) 14
15 Dynamic unpacking Idea: let the program run on a real system and unpack itself Needs isolated, real machine (VMWare might not be good enough!) Basic tools are freely available (hex editors, debuggers etc.) 15
16 Dynamic unpacking with debugger Packed file is opened with debugger, or debugger is attached to already running target Let the packer stub run and unpack the original program How to get control: Set breakpoints in known Win32 API s Just run and let the program handle exceptions Break in if program continues running Save the unpacked data to disk or analyze using tools provided by the debugger Problems with debugger: Debugger detection (PEB debug bit, anti-debug tricks etc.) Debugger attacks (throwing exceptions etc.) 16
17 Debugger automation with scripting Debuggers can be extended with flexible scripting languages like python Any debugging task can be automated: unpacking, decrypting strings, etc. Debuggers that support python scripting: Immunity debugger Python plugin available for OllyDbg GDB IDA debugger Other scripting languages Windbg scripting OllyDbg scripting plugins (several languages) Python debugger module for Windows: PaiMei, reverse engineering framework includes PyDbg module F-secure proprietary python Win32 debugger using ctypes 17
18 Dynamic unpacking with dumping Run the file Dump the process memory on disk, pseudo code: void Dump(DWORD pid) { BYTE buf[page_size]; DWORD address, written; HANDLE hfile = CreateFile("dump.dat", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); HANDLE hprocess = OpenProcess(PROCESS_VM_READ, FALSE, pid); for (address = 0; address < 0x ; address += PAGE_SIZE) { if (ReadProcessMemory(hProcess, (LPVOID)address, buf, PAGE_SIZE, NULL)) { WriteFile(hFile, buf, PAGE_SIZE, &written, NULL); } } } 18
19 PE reconstruction Dumped image is more usable if it can be opened with RE tools like IDA PE envelope needs to be build around the dumped image: The image can be mapped as a single section Original Entry Point (OEP) needs to be figured out Import Address Table (IAT) needs to be reconstructed IAT reconstruction can cause lot of problems: Packers build IAT dynamically IAT entries may not be direct addresses to the imported function, it can be some kind of trampoline OEP can be tricky to find Tools like ImpRec and OllyDump can automate the reconstruction process 19
20 Examples: unpacking simple packers Try to identify the packer based on PE characteristics Use static unpacking tools (if available) Use dynamic methods (OllyDbg/Immunity) (Demo) 20
21 If this looks too simple Live unpacking of simple envelopes is easy, BUT... Imports are usually lost in the unpacking process Debuggers are often very unreliable, they can be detected (even when attaching!) Complex protection systems are becoming more popular Malware can also use custom protection systems 21
22 Complex protection system example: VMProtect Protects selected parts of the program with virtual machine Also has additional layers of protection: obfuscation, anti-debugging etc. (Demo) 22
23 Custom protections systems Usually works at compiler-level (integrates with the source code) Most common case is data encryption with some simple algorithm, like bitwise ADD/XOR/etc. Using a non-common language, like Visual Basic can also be considered as a protection system Sometimes a bit heavier toolset is required: IDA, IDAPython (python scripting for IDA) Live unpacking with debuggers might also solve some custom system cases as well! 23
24 IDA automation IDA can be automated with several programming environments: IDA plugin interface (programming language: C/C++) IDC, IDA C-like scripting language IDAPython, python bindings to IDA plugin interface Example usage: Reading and modifying the IDA database Renaming functions, commenting Graphing, statistics New processor and loader modules (plugin interface) 24
25 Simple decryption loop with IDAC Bit-wise XOR over a given address range static decrypt(from, size, key) { auto i, x; // we define the variables for ( i=0; i < size; i=i+1 ) { x = Byte(from); // fetch the byte x = (x^key); // decrypt it PatchByte(from,x); // put it back from = from + 1; // next byte } } 25
26 Example custom system: Bobic worm string encryption 26
27 Conclusions Live unpacking is easy and cost-effective way to handle most malware For handling complex protection systems, custom decryptors, tracers and memory dumpers must be implemented Thanks for your patience! 27
28 Further reading Wikipedia on runtime packing - UPX - IDAPython - Runtime Packers: The Hidden Problem? - The Art of Unpacking /Yason/Presentation/bh-usa-07-yason.pdf Bobic worm description: 28
29
Reverse Engineering Malware Dynamic Analysis of Binary Malware II
Reverse Engineering Malware Dynamic Analysis of Binary Malware II Jarkko Turkulainen F-Secure Corporation Protecting the irreplaceable f-secure.com Advanced dynamic analysis Debugger scripting Hooking
More informationBackground. How it works. Parsing. Virtual Deobfuscator
Background The Virtual Deobfuscator was developed as part of the DARPA Cyber Fast Track program. The goal was to create a tool that could remove virtual machine (VM) based protections from malware. We
More informationImplementing your own generic unpacker
HITB Singapore 2015 Julien Lenoir - julien.lenoir@airbus.com October 14, 2015 Outline 1 Introduction 2 Test driven design 3 Fine tune algorithm 4 Demo 5 Results 6 Conclusion October 14, 2015 2 Outline
More informationTim Ebringer The university of Melbourne, Australia Li Sun RMIT university, Australia Serdar Boztas RMIT university, Australia VB 2008 Ottawa,
A FAST RANDOMNESS TEST THAT PRESERVES LOCAL DETAIL Tim Ebringer The university of Melbourne, Australia Li Sun RMIT university, Australia Serdar Boztas RMIT university, Australia VB 2008 Ottawa, Canada,
More informationT Jarkko Turkulainen, F-Secure Corporation
T-110.6220 2010 Emulators and disassemblers Jarkko Turkulainen, F-Secure Corporation Agenda Disassemblers What is disassembly? What makes up an instruction? How disassemblers work Use of disassembly In
More informationPortable Executable format, TitaniumCore report and packers. Katja Pericin
Portable Executable format, TitaniumCore report and packers Katja Pericin Portable Executable format 3/21/2018 2 Introduction file? operating system abstraction for a data container segment(s) of physical
More informationPokas x86 Emulator for Generic Unpacking
BLUE KAIZEN CENTER OF IT SECURITY Cairo Security Camp 2010 Pokas x86 Emulator for Generic Unpacking Subject : This document gives the user a problem, its solution concept, Previous Solutions, Pokas x86
More informationAgenda. Motivation Generic unpacking Typical problems Results
Who we are Product: ewido security suite Protection against Trojans, Adware, Spyware,... First release: Christmas 2003 Emulation research since 2002 Used for generic unpacking Agenda Motivation Generic
More informationIntro to Cracking and Unpacking. Nathan Rittenhouse
Intro to Cracking and Unpacking Nathan Rittenhouse nathan_@mit.edu Keygenning Take this crackme: http://crackmes.de/users/moofy/crackme_2 Write a key generator Process Watch where user data is inputted
More informationT Using debuggers to analyze malware. Antti Tikkanen, F-Secure Corporation
T-110.6220 Using debuggers to analyze malware Antti Tikkanen, F-Secure Corporation Agenda Debugger basics Introduction Scenarios and tools How do debuggers work? Debug API The debugging loop Underlying
More informationFast & Furious reverse engineering TitanEngine. titan.reversinglabs.com
Fast & Furious reverse engineering TitanEngine titan.reversinglabs.com Contents Introduction to TitanEngine... 3 Introduction to static unpackers... 4 Introduction to dynamic unpackers... 5 Introduction
More informationMalware Analysis and Antivirus Technologies: Using Debuggers to Analyze Malware
Malware Analysis and Antivirus Technologies: Using Debuggers to Analyze Malware Protecting the irreplaceable f-secure.com Agenda Debugger basics Introduction Scenarios and tools How debuggers work Debug
More informationCracking, The Anti. Dorian Bugeja Department of Computer Science and Artificial Intelligence University of Malta
Cracking, The Anti Dorian Bugeja Department of Computer Science and Artificial Intelligence University of Malta Email: dbug0009@um.edu.mt Abstract This paper will describe some techniques used to protect
More informationT Hands-on 2. User-mode debuggers OllyDbg
T-110.6220 Hands-on 2 User-mode debuggers OllyDbg Disassemblers vs debuggers Static analysis / Disassemblers Theoretic approach Give us a static view of the binary Example: IDA Dynamic analysis / Debuggers
More informationPacker Analysis Report-Debugging and unpacking the NsPack 3.4 and 3.7 packer.
Interested in learning more about security? SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission. Packer
More informationA Security Microcosm Attacking and Defending Shiva
A Security Microcosm Attacking and Defending Shiva Shiva written by Neel Mehta and Shaun Clowes Presented by Shaun Clowes shaun@securereality.com.au What is Shiva? Shiva is an executable encryptor Encrypted
More informationlike a boss Automatically Extracting Obfuscated Strings from Malware
like a boss Automatically Extracting Obfuscated Strings from Malware d41d8cd98f00b204e9800998ecf8427e a5ca7e7281d8b8a570a529895106b1fa PE file format Imports Exports Section metadata strings.exe PE
More informationReverse Engineering with IDA Pro. CS4379/5375 Software Reverse Engineering Dr. Jaime C. Acosta
1 Reverse Engineering with IDA Pro CS4379/5375 Software Reverse Engineering Dr. Jaime C. Acosta 2 Reversing Techniques Static Analysis Dynamic Analysis 3 Reversing Techniques Static Analysis (e.g., strings,
More informationAnalysis and Visualization of Common Packers
Analysis and Visualization of Common Packers PowerOfCommunity, Seoul Ero Carrera - ero.carrera@gmail.com Reverse Engineer at zynamics GmbH Chief Research Officer at VirusTotal Introduction An historical
More informationOwning Command and Control: Reverse Engineering Malware. Risk Mitigators
Owning Command and Control: Reverse Engineering Malware Agenda 1- About Synapse-labs a) Bio's b) Synapse-labs 2- Debuggers (Immunity & OllyDBG) 3- Assembler Primer 4- PE (Portable Executable) Structure
More information06 - Anti Dynamic Analysis
CYS5120 - Malware Analysis Bahcesehir University Cyber Security Msc Program Dr. Ferhat Ozgur Catak 1 Mehmet Can Doslu 2 1 ozgur.catak@tubitak.gov.tr 2 mehmetcan.doslu@tubitak.gov.tr 2017-2018 Fall Table
More informationDanny Quist. Blackhat USA 2008
Temporal Reverse Engineering Danny Quist Colin Ames Blackhat USA 2008 1 Danny Quist Co-founder Offensive Computing, LLC Ph.D. Candidate at New Mexico Tech Reverse Engineering i Instructor Infosec Institute
More informationGeneral Unpacking Overview and Techniques
Bachelor project General Unpacking Overview and Techniques Author: Danut Niculae Supervisor: Jesper Andersson Date: 2015-05-18 Course code: 2DV00E, 15 credits Level: Bachelor Subject: Computer Science
More informationDSD-Tracer. Boris Lau, SophosLabs Virus Bulletin 2007, Vienna
DSD-Tracer Boris Lau, SophosLabs Virus Bulletin 2007, Vienna What does DSD stand for? Dynamic Static DSD A framework which allows data to be passed between dynamic and static analysis stages seamlessly
More informationTasty Malware Analysis with T.A.C.O. Bringing Cuckoo Reports into IDA Pro Ruxcon 2015 Jason Jones
Tasty Malware Analysis with T.A.C.O. Bringing Cuckoo Reports into IDA Pro Ruxcon 2015 Jason Jones Who Am I? Sr. Security Research Analyst for Arbor Networks ASERT Attend AHA! in Austin semi-frequently
More informationMobileFindr: Function Similarity Identification for Reversing Mobile Binaries. Yibin Liao, Ruoyan Cai, Guodong Zhu, Yue Yin, Kang Li
MobileFindr: Function Similarity Identification for Reversing Mobile Binaries Yibin Liao, Ruoyan Cai, Guodong Zhu, Yue Yin, Kang Li Reverse Engineering The process of taking a software program s binary
More informationA Survey of Obfuscations in Prevalent Packer Tools
A Survey of Obfuscations in Prevalent Packer Tools Kevin Roundy Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin March 26, 2012 1 Types of program analysis Source code Friendly binary Uncooperative
More informationVirus Analysis. Analysis Environment & Tools. Anti-Virus Lab. Key Requirements
Virus Analysis Techniques, Tools, and Research Issues Part II: Tools Michael Venable Arun Lakhotia, USA Analysis Environment & Tools AV Lab and Procedures Virus Analysis Process Static Analysis Tools Process
More information64-bit Imports Rebuilding and Unpacking
64-bit Imports Rebuilding and Unpacking Sebastien Doucet ncircle 2010. All rights reserved. Who am I? Security Research Engineer at ncircle in Toronto My accent is from Montreal Used
More informationThe new signature generation method based on an unpacking algorithm and procedure for a packer detection
The new signature generation method based on an unpacking algorithm and procedure for a packer detection Donghwi Shin 1, Chaetae Im 2, Hyuncheol Jeong 2, Seungjoo Kim 1, Dongho Won 1 1 Sungkyunkwan University
More informationMalware
reloaded Malware Research Team @ @xabiugarte Motivation Design principles / architecture Features Use cases Future work Dynamic Binary Instrumentation Techniques to trace the execution of a binary (or
More informationCTF Workshop. Crim Synopsys, Inc. 1
CTF Workshop Crim2018 31.10.2018 2018 Synopsys, Inc. 1 CTF (Capture the Flag) Capture the Flag (CTF) is a computer security competition. CTF are usually designed test and teach computer security skills.
More informationCHAPTER 2: SYSTEM STRUCTURES. By I-Chen Lin Textbook: Operating System Concepts 9th Ed.
CHAPTER 2: SYSTEM STRUCTURES By I-Chen Lin Textbook: Operating System Concepts 9th Ed. Chapter 2: System Structures Operating System Services User Operating System Interface System Calls Types of System
More informationAdvanced Malware Analysis Training Series.
Advanced Malware Analysis Training Series Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions of any kind. Also the views/ideas/knowledge
More informationChapter 2. Operating-System Structures
Chapter 2 Operating-System Structures 2.1 Chapter 2: Operating-System Structures Operating System Services User Operating System Interface System Calls Types of System Calls System Programs Operating System
More informationAre Your Mobile Apps Well Protected? Daniel Xiapu Luo Department of Computing The Hong Kong Polytechnic Unviersity
Are Your Mobile Apps Well Protected? Daniel Xiapu Luo csxluo@comp.polyu.edu.hk Department of Computing The Hong Kong Polytechnic Unviersity 1 What if your mobile app is reverse-engineered by others? Core
More informationMaking Dynamic Instrumentation Great Again
Making Dynamic Instrumentation Great Again Malware Research Team @ @xabiugarte [advertising space ] Deep Packer Inspector https://packerinspector.github.io https://packerinspector.com Many instrumentation
More informationMario Vuksan and Tomislav Pericin, ReversingLabs FILE ANALYSIS AND UNPACKING: THE AGE OF 40M NEW SAMPLES PER YEAR
Mario Vuksan and Tomislav Pericin, ReversingLabs FILE ANALYSIS AND UNPACKING: THE AGE OF 40M NEW SAMPLES PER YEAR Agenda Big and scary numbers Introduction to the binary mess out there (the problem) Packers
More informationProgram Vulnerability Analysis Using DBI
Program Vulnerability Analysis Using DBI CodeEngn Co-Administrator DDeok9@gmail.com 2011.7.2 www.codeengn.com CodeEngn ReverseEngineering Conference Outline What is DBI? Before that How? A simple example
More informationdroidcon Greece Thessaloniki September 2015
droidcon Greece Thessaloniki 10-12 September 2015 Reverse Engineering in Android Countermeasures and Tools $ whoami > Dario Incalza (@h4oxer) > Application Security Engineering Analyst > Android Developer
More informationUnpacking the Packed Unpacker
Unpacking the Packed Unpacker Reversing an Android Anti-Analysis Native Library Maddie Stone @maddiestone BlackHat USA 2018 Who am I? - Maddie Stone Reverse Engineer on Google s Android Security Team 5+
More informationAdvanced artefact analysis Advanced dynamic analysis
Advanced dynamic analysis HANDBOOK, DOCUMENT FOR TEACHERS OCTOBER 2015 www.enisa.europa.eu European Union Agency For Network And Information Security About ENISA The European Union Agency for Network and
More informationeeye Digital Security Payload Anatomy and Future Mutations Riley Hassell
Payload Anatomy and Future Mutations Riley Hassell rhassell@eeye.com What is a Payload? 2 Traditional payloads are written in assembly language and compiled to their machine code counterpart. They contain
More informationInside VMProtect. Introduction. Internal. Analysis. VM Logic. Inside VMProtect. Conclusion. Samuel Chevet. 16 January 2015.
16 January 2015 Agenda Describe what VMProtect is Introduce code virtualization in software protection Methods for circumvention VM logic Warning Some assumptions are made in this presentation Only few
More informationDissecting APT Sample Step by Step. Kārlis Podiņš, CERT.LV
Dissecting APT Sample Step by Step Kārlis Podiņš, CERT.LV 1 New Email has Arrived Please see the document attached $ file readme.docx readme.docx: Microsoft OOXML Metadata $ exiftool readme.docx Total
More informationWhat's New in CDT 7.0? dominique dot toupin at ericsson dot com
What's New in CDT 7.0? dominique dot toupin at ericsson dot com 23 committers Project Status Representing IDE vendors, consultants, and users Downloads continue to grow Galileo SR-1: 530,000! CDT / Linux
More informationHeaps of Heap-based Memory Attacks
Heaps of Heap-based Memory Attacks Kevin Leach kleach2@gmu.edu Center for Secure Information Systems 3 October 2012 K. Leach (CSIS) Heaps of Heap-based Memory Attacks 3 October 2012 1 / 23 Goals During
More informationMalware Analysis and Antivirus Technologies: Antivirus Engine Basics
Malware Analysis and Antivirus Technologies: Antivirus Engine Basics Protecting the irreplaceable f-secure.com Detecting Malware Blacklisting Detecting badness Typically fairly reactive but heuristic and
More informationChapter 2: Operating-System Structures
Chapter 2: Operating-System Structures Chapter 2: Operating-System Structures Operating System Services User Operating System Interface System Calls Types of System Calls System Programs Operating System
More informationLecture 4 Processes. Dynamic Analysis. GDB
Lecture 4 Processes. Dynamic Analysis. GDB Computer and Network Security 23th of October 2017 Computer Science and Engineering Department CSE Dep, ACS, UPB Lecture 4, Processes. Dynamic Analysis. GDB 1/45
More informationChapter 2: System Structures. Operating System Concepts 9 th Edition
Chapter 2: System Structures Silberschatz, Galvin and Gagne 2013 Chapter 2: System Structures Operating System Services User Operating System Interface System Calls Types of System Calls System Programs
More informationRomain Thomas - Static instrumentation based on executable file formats
Romain Thomas - rthomas@quarkslab.com Static instrumentation based on executable file formats About Romain Thomas - Security engineer at Quarkslab Working on various topics: Android, (de)obfuscation, software
More informationChapter 2: Operating-System Structures. Operating System Concepts 9 th Edition
Chapter 2: Operating-System Structures Silberschatz, Galvin and Gagne 2013 Chapter 2: Operating-System Structures Operating System Services User Operating System Interface System Calls Types of System
More informationCS266 Software Reverse Engineering (SRE) Reversing and Patching Wintel Machine Code
CS266 Software Reverse Engineering (SRE) Reversing and Patching Wintel Machine Code Teodoro (Ted) Cipresso, teodoro.cipresso@sjsu.edu Department of Computer Science San José State University Spring 2015
More informationESET Research Whitepapers // January 2018 // Author: Filip Kafka ESET S GUIDE TO DEOBFUSCATING AND DEVIRTUALIZING FINFISHER
ESET Research Whitepapers // January 2018 // Author: Filip Kafka ESET S GUIDE TO DEOBFUSCATING AND DEVIRTUALIZING FINFISHER 2 CONTENTS Introduction 3 Anti-disassembly 4 FinFisher s virtual machine 7 Terms
More informationEnhanced Debugging with Traces
Enhanced Debugging with Traces An essential technique used in emulator development is a useful addition to any programmer s toolbox. Peter Phillips Creating an emulator to run old programs is a difficult
More informationReversing with Radare2.
Reversing with Radare2 pancake@overdrivecon2016 Who am I? pancake aka Sergi Alvarez i Capilla Twitter: @trufae @radareorg Web: http://rada.re Currently working as a Mobile Security Analyst at NowSecure,
More informationChapter 2: Operating-System Structures. Operating System Concepts 9 th Edit9on
Chapter 2: Operating-System Structures Operating System Concepts 9 th Edit9on Silberschatz, Galvin and Gagne 2013 Chapter 2: Operating-System Structures 1. Operating System Services 2. User Operating System
More informationChapter 2: System Structures
Chapter 2: Operating System Structures Operating System Services System Calls Chapter 2: System Structures System Programs Operating System Design and Implementation Operating System Structure Virtual
More informationSoftware Protection: How to Crack Programs, and Defend Against Cracking Lecture 5: Code Obfuscation II Minsk, Belarus, Spring 2014
Software Protection: How to Crack Programs, and Defend Against Cracking Lecture 5: Code Obfuscation II Minsk, Belarus, Spring 2014 Christian Collberg University of Arizona www.cs.arizona.edu/ collberg
More information1.1 For Fun and Profit. 1.2 Common Techniques. My Preferred Techniques
1 Bug Hunting Bug hunting is the process of finding bugs in software or hardware. In this book, however, the term bug hunting will be used specifically to describe the process of finding security-critical
More informationDiaphora An IDA Python BinDiffing plugin
Diaphora An IDA Python BinDiffing plugin Index Introduction...2 Files distributed with the diaphora distribution...2 Running Diaphora...2 Diaphora quick start...4 Finding differences in new versions (Patch
More informationMain idea. Demonstrate how malware can increase its robustness against detection by taking advantage of the ubiquitous Graphics Processing Unit (GPU)
-Assisted Malware Giorgos Vasiliadis Michalis Polychronakis Sotiris Ioannidis ICS-FORTH, Greece Columbia University, USA ICS-FORTH, Greece Main idea Demonstrate how malware can increase its robustness
More informationAutomated static deobfuscation in the context of Reverse Engineering
Automated static deobfuscation in the context of Reverse Engineering Sebastian Porst (sebastian.porst@zynamics.com) Christian Ketterer (cketti@gmail.com) Sebastian zynamics GmbH Lead Developer BinNavi
More informationPierre-Marc Bureau Joan Calvet - UNDERSTANDING SWIZZOR S OBFUSCATION
Pierre-Marc Bureau bureau@eset.sk Joan Calvet - j04n.calvet@gmail.com UNDERSTANDING SWIZZOR S OBFUSCATION 1 Swizzor Present since 2002! AV companies receive hundreds of new binaries daily. Nice icons :
More informationNetscreen of the Dead Developing a Trojaned Firmware for Juniper Netscreen Appliances
Netscreen of the Dead Developing a Trojaned Firmware for Juniper Netscreen Appliances Cast Graeme Neilson Security Consultant Aura Software Security graeme@aurasoftwaresecurity.co.nz Trailer What if a
More informationAndroid Debugging ART
Android Debugging ART Khaled JMAL 2016 / 11 / 17 2 / 24 The Dalvik Virtual Machine Up to version 4.4 KitKat, Android was based on the Dalvik Virtual Machine Java compiles into DEX code DEX code is compiled
More informationLIEF: Library to Instrument Executable Formats
RMLL 2017 Romain Thomas - rthomas@quarkslab.com LIEF: Library to Instrument Executable Formats Table of Contents Introduction Project Overview Demo Conclusion About Romain Thomas (rthomas@quarkslab.com)
More informationPersistent BIOS Infection
CORE SECURITY TECHNOLOGIES 2009 Persistent BIOS Infection The early bird catches the worm Anibal L. Sacco (Ssr Exploit writer) Alfredo A. Ortega (Ssr Exploit writer) Agenda Introduction A bit of history
More informationReverse Engineering III: PE Format
Reverse Engineering III: PE Format This document is only to be distributed to teachers and students of the Malware Analysis and Antivirus Technologies course and should only be used in accordance with
More informationLecture 2 - Fundamental Concepts
Lecture 2 - Fundamental Concepts Instructor : Bibhas Ghoshal (bibhas.ghoshal@iiita.ac.in) Autumn Semester, 2015 Bibhas Ghoshal IOSY 332C & IOPS 332C: OS Autumn Semester, 2015 1 / 43 Lecture Outline Operating
More informationAdvances in Linux process forensics with ECFS
Advances in Linux process forensics with ECFS Quick history Wanted to design a process snapshot format native to VMA Vudu http://www.bitlackeys.org/#vmavudu ECFS proved useful for other projects as well
More informationMSRPC Auditing Tools and Techniques
DeepSec 2007 Aaron Portnoy 1 Cody Pierce 2 1 aportnoy@tippingpoint.com 2 cpierce@tippingpoint.com DeepSec Fall 2007 About Us Introduction Why Do We Care About in 2007? History of Issues Work at TippingPoint
More informationHack in the Box Trends and Tools. H D Moore
Hack in the Box 2003 Advanced Exploit Development Trends and Tools H D Moore 1 Who Who am I? Co-founder of Digital Defense Security researcher (5+ years) Projects DigitalOffense.net Metasploit.com 2 What
More informationObjectives. Chapter 2: Operating-System Structures. 2.1 Operating System Services
Objectives Chapter 2: Operating-System Structures To describe the services an operating system provides to users, processes, and other systems To discuss the various ways of structuring an operating system
More informationCS/COE 1501
CS/COE 1501 www.cs.pitt.edu/~nlf4/cs1501/ Compression What is compression? Represent the same data using less storage space Can get more use out a disk of a given size Can get more use out of memory E.g.,
More informationThe Terminator to Android Hardening Services. Yueqian Zhang, Xiapu Luo, Haoyang Yin Department of Computing The Hong Kong Polytechnic University
The Terminator to Android Hardening Services Yueqian Zhang, Xiapu Luo, Haoyang Yin Department of Computing The Hong Kong Polytechnic University 1 Source: Trend Micro Percentage of top 10 apps in each category
More informationAnother difference is that the kernel includes only the suspend to memory mechanism, and not the suspend to hard disk, which is used on PCs.
9. Android is an open-source operating system for mobile devices. Nowadays, it has more than 1.4 billion monthly active users (statistic from September 2015) and the largest share on the mobile device
More informationChapter 2: Operating-System Structures
Chapter 2: Operating-System Structures Chapter 2: Operating-System Structures Operating System Services User Operating System Interface System Calls (important!) Types of System Calls (important!) System
More informationLecture 1 Introduction to Android. App Development for Mobile Devices. App Development for Mobile Devices. Announcement.
CSCE 315: Android Lectures (1/2) Dr. Jaerock Kwon App Development for Mobile Devices Jaerock Kwon, Ph.D. Assistant Professor in Computer Engineering App Development for Mobile Devices Jaerock Kwon, Ph.D.
More informationCSE 4/521 Introduction to Operating Systems. Lecture 12 Main Memory I (Background, Swapping) Summer 2018
CSE 4/521 Introduction to Operating Systems Lecture 12 Main Memory I (Background, Swapping) Summer 2018 Overview Objective: 1. To provide a detailed description of various ways of organizing memory hardware.
More informationDebugging code snippets in IDA Pro 5.6 using QEMU emulator Copyright 2010 Hex-Rays SA
Debugging code snippets in IDA Pro 5.6 using QEMU emulator Copyright 2010 Hex-Rays SA Introduction IDA Pro 5.6 has a new feature: automatic running of the QEMU emulator. It can be used to debug small code
More informationOpenACC Course. Office Hour #2 Q&A
OpenACC Course Office Hour #2 Q&A Q1: How many threads does each GPU core have? A: GPU cores execute arithmetic instructions. Each core can execute one single precision floating point instruction per cycle
More informationFundamentals of Network Intrusion Analysis. Malicious Code Analysis Lab 1 Introduction to Malware Analysis
Fundamentals of Network Intrusion Analysis Malicious Code Analysis Lab 1 Introduction to Malware Analysis 1 Lab Overview Lab 1 Introduction to Malware Analysis Goals and difficulties Portable Executable
More informationLecture 14. System Integrity Services Obfuscation
Lecture 14 System Integrity Services Obfuscation OS independent integrity checking Observation Majority of critical server vulnerabilities are memory based Modern anti-virus software must scan memory Modern
More informationFlare-On 5: Challenge 7 Solution WorldOfWarcraft.exe
Flare-On 5: Challenge 7 Solution WorldOfWarcraft.exe Challenge Author: Ryan Warns Summary This challenge implements a 32-bit Windows binary meant to run in a Windows on Windows (WOW) environment. Analysis
More informationString Instructions In C Program Examples. Reverse >>>CLICK HERE<<<
String Instructions In C Program Examples Reverse The Lab2 submission instruction: (1) Please create.c file for each of your programs. (2) Please prepare a text (.txt) file, clearly describing how to run
More informationCS/COE 1501
CS/COE 1501 www.cs.pitt.edu/~lipschultz/cs1501/ Compression What is compression? Represent the same data using less storage space Can get more use out a disk of a given size Can get more use out of memory
More informationMitchell Adair January, 2014
Mitchell Adair January, 2014 Know Owen from our time at Sandia National Labs Currently work for Raytheon Founded UTDallas s Computer Security Group (CSG) in Spring 2010 Reversing, binary auditing, fuzzing,
More informationPE Infection How to Inject a dll
PE Infection How to Inject a dll In association with www.mihanit.net Thank you to my friends who help me in this research (K053,Heli, L U C I F E R(Bl4ck_Ic3)) Author: Nightmare(BioHazard) Date: 03.05.2009(88.02.13)
More informationRed Leaves implant - overview
Ahmed Zaki David Cannings March 2017 Contents 1 Handling information 3 2 Introduction 3 3 Overview 3 3.1 Summary of files analysed.......................................... 3 3.2 Execution flow................................................
More informationPacking Heat! Dimitrios A. Glynos { dimitris at census-labs.com } Census, Inc. AthCon 2012 / Athens, Greece
Packing Heat! Dimitrios A. Glynos { dimitris at census-labs.com } Census, nc. AthCon 2012 / Athens, Greece PACKNG H EAT :: ATH C ON 2012 :: C ENSUS, NC. O VERVEW NTRODUCTON E VADNG DETECTON FROM AV SOFTWARE
More informationOptiCode: Machine Code Deobfuscation for Malware Analysis
OptiCode: Machine Code Deobfuscation for Malware Analysis NGUYEN Anh Quynh, COSEINC CONFidence, Krakow - Poland 2013, May 28th 1 / 47 Agenda 1 Obfuscation problem in malware analysis
More informationChapter 2: Operating-System Structures
Chapter 2: Operating-System Structures Chapter 2: Operating-System Structures Operating System Services User Operating System Interface System Calls Types of System Calls System Programs Operating System
More informationTrojan.TDR. Udi Shamir (Ta!0n) COSEINC (AML) Advanced Malware Labs
Trojan.TDR Udi Shamir (Ta!0n) COSEINC (AML) Advanced Malware Labs Overview TDR malware targets specific companies which are using McAfee protection suites. The malware utilizes anti-debugging, antivirus
More informationCUDA Development Using NVIDIA Nsight, Eclipse Edition. David Goodwin
CUDA Development Using NVIDIA Nsight, Eclipse Edition David Goodwin NVIDIA Nsight Eclipse Edition CUDA Integrated Development Environment Project Management Edit Build Debug Profile SC'12 2 Powered By
More informationVirus Analysis. Introduction to Malware. Common Forms of Malware
Virus Analysis Techniques, Tools, and Research Issues Part I: Introduction Michael Venable Arun Lakhotia, USA Introduction to Malware Common Forms of Malware Detection Techniques Anti-Detection Techniques
More informationLecture 12 Malware Defenses. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides based on Bailey s ECE 422
Lecture 12 Malware Defenses Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides based on Bailey s ECE 422 Malware review How does the malware start running? Logic bomb? Trojan horse?
More informationUNPACK YOUR TROUBLES:.NET PACKER TRICKS AND COUNTERMEASURES. Marcin Hartung ESET, Poland
UNPACK YOUR TROUBLES:.NET PACKER TRICKS AND COUNTERMEASURES Marcin Hartung ESET, Poland Marcin Hartung hartung@eset.pl Eset Poland UNPACK YOUR TROUBLES:.NET PACKER TRICKS AND COUNTERMEASURES At Eset: programmer
More informationBUILDING A TEST ENVIRONMENT FOR ANDROID ANTI-MALWARE TESTS Hendrik Pilz AV-TEST GmbH, Klewitzstr. 7, Magdeburg, Germany
BUILDING A TEST ENVIRONMENT FOR ANDROID ANTI-MALWARE TESTS Hendrik Pilz AV-TEST GmbH, Klewitzstr. 7, 39112 Magdeburg, Germany Email hpilz@av-test.de ABSTRACT The growth of the Smartphone market over the
More information